Blog Post

You shall not pass! Take control of your passwords in the new year

Lots of us have New Year’s resolutions and one that I’m taking on this year is password management. With web and ecommerce passwords being compromised all the time, my goal is to stop reusing passwords. I also want to use better site-only passwords and change passwords I’ve reused on various web sites.

Mac users can use Mavericks’ and iOS 7’s keychain sync plus third party apps; this won’t be hard but requires some work. It’s a bit harder for Windows users, but the peace of mind is worth it. Here’s a suggested workflow and options for managing your passwords.

Audit your existing passwords and prune your exposure

It’s time to figure out which websites you have registered accounts with, change those passwords, and cancel the accounts on sites you no longer use. I was lazy and reused passwords on multiple sites. If you do nothing else, make sure you don’t reuse the same password on different sites, and cancel accounts for sites you no longer use. A great tool for canceling accounts is AccountKiller [a].

Safari and other accounts (Mac)

To see which passwords Safari has saved, go to Safari’s Preferences and then click on Passwords. You’ll see a list of websites along with your username and password for each one. To see the password, check “show passwords for selected websites.” If it’s a website you no longer intend to use (maybe you signed up for a free trial), then it’s probably a good idea to log in and cancel the account to reduce the risk of your personal information getting out if the website’s membership list is hacked. However, to play it safe, change your password on that site before canceling the account, so that if you reused that password somewhere else, you are still safe.

For passwords not saved in Safari (chat apps, other browsers, and so forth) it’s time to head into the Keychain Access app located in the Utilities folder within Applications. Click on Passwords and peruse what’s there. Follow the link to the corresponding website (such as Skype.com) and change your password; if you don’t use the service, cancel the account after changing the password.

Firefox (Mac or PC)
Firefox has its own Password Manager that tracks saved passwords and the corresponding websites. This tutorial (http://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords) does a great job of explaining how to go in and find the passwords. Log in, change, and (if needed) cancel accounts.

Chrome (Mac or PC)
Similar to Firefox, Google’s Chrome has its own password management system, which is described here: https://support.google.com/chrome/answer/95606?hl=en. Log in, change, and (if needed) cancel accounts.

Internet Explorer (PC)
IE does not have a directly accessible password management system. Third-party software exists for IE, but I don’t have a specific program that I can recommend. For IE users, look at your bookmarks to find websites you’ve been to, then log in, change, and (if needed) cancel your accounts there.
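Whichever browser you export from, the audit step above comes down to one question: which password appears on more than one site? The script below is an added example, not part of the original post or of any of the tools it mentions. It assumes a CSV export with `site`, `username` and `password` columns (the sample rows are constructed, not real credentials) and reports reused passwords by a short hash fingerprint rather than in the clear, so the report itself does not become another copy of your secrets.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (hypothetical sites, made-up credentials).
SAMPLE_EXPORT = """site,username,password
example-shop.test,alice,Winter2013!
example-bank.test,alice,Winter2013!
example-forum.test,alice_f,correct horse battery
example-trial.test,alice,Winter2013!
example-mail.test,alice,Tr0ub4dor&3
"""


def fingerprint(password):
    """Short, non-reversible label for a password so reports never show plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def find_reused_passwords(export_text):
    """Return {fingerprint: [sites]} for every password used on more than one site.

    Site order within each list follows the order of rows in the export.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    sites_by_fingerprint = defaultdict(list)
    for row in reader:
        sites_by_fingerprint[fingerprint(row["password"])].append(row["site"])
    return {fp: sites for fp, sites in sites_by_fingerprint.items() if len(sites) > 1}


def sites_needing_new_password(export_text):
    """Flat, sorted list of every site that shares its password with another site."""
    reused = find_reused_passwords(export_text)
    return sorted({site for sites in reused.values() for site in sites})


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_EXPORT).items():
        print(f"password {fp} is reused on {len(sites)} sites: {', '.join(sites)}")
    print("change the password on:", sites_needing_new_password(SAMPLE_EXPORT))
```

Run it against the real export only on your own machine, and delete the export file afterwards; the point of the fingerprint is that the printed report can safely sit in a terminal scrollback, the export cannot.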

Creating a new random password

The easiest way is to ask Siri. Siri can query Wolfram Alpha, and if you say “Wolfram Password” Siri will generate an 8-character random password. If you’d like more control or don’t have Siri, just go to Wolfram Alpha, search for “password,” and type in the number of characters you need, such as a 10-character password. If you click on Specific Password Rules you can ask it to require a number, a special character, and so forth. Mac users can also use Apple’s built-in Password Assistant to generate a random password by opening the Keychain Access application, selecting New Password Item from the File menu, and then clicking the key icon. All the password management options discussed below also have random password generation capabilities.
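For readers who would rather not paste a new password through a search engine or a voice assistant, the same job can be done locally. The following is an added example written for this post, not code from Wolfram Alpha, Apple or any of the password managers discussed; it mirrors the “Specific Password Rules” idea (a chosen length, an optional required digit and special character) using Python’s `secrets` module, which draws from the operating system’s cryptographic random source, and it reports how many bits of entropy a password of that length and alphabet carries.

```python
import math
import secrets
import string

# Special characters to draw from; an assumed set, adjust to what a given site accepts.
SYMBOLS = "!@#$%^&*"


def password_alphabet(allow_symbols=True):
    """Characters a generated password may contain."""
    alphabet = string.ascii_letters + string.digits
    if allow_symbols:
        alphabet += SYMBOLS
    return alphabet


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def meets_rules(password, require_digit, require_symbol):
    """Check the same kind of rules a site might impose on a new password."""
    if require_digit and not any(c.isdigit() for c in password):
        return False
    if require_symbol and not any(c in SYMBOLS for c in password):
        return False
    return True


def generate_password(length=10, require_digit=True, require_symbol=True):
    """Generate a random password of `length` characters satisfying the given rules.

    Each candidate is drawn uniformly with secrets.choice (CSPRNG-backed) and
    rejected if it misses a required class, so the accepted result is still
    uniform over the set of passwords that satisfy the rules.
    """
    if length < 4:
        raise ValueError("use at least 4 characters; 12 or more is a sensible minimum")
    alphabet = password_alphabet(allow_symbols=True)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_rules(candidate, require_digit, require_symbol):
            return candidate


if __name__ == "__main__":
    pw = generate_password(length=12)
    bits = entropy_bits(12, len(password_alphabet()))
    print(f"{pw}  (~{bits:.1f} bits of entropy before the rule filter)")
```

The 8 characters Siri hands you come to roughly 49 bits with this alphabet; each extra character adds about 6 bits, which is why 12 or more characters is a better default for anything a password manager will remember on your behalf.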

Password management options

The reason I used the same password in multiple places was obvious – so I could remember it. I needed a better solution. Fortunately, there are several great password management solutions. Each of these works like a digital safe, storing all your passwords securely and requiring you to remember only a single password (which should be unique) to “unlock” it.

Here’s a breakdown of each one and the best use scenario.

1) iCloud Keychain – Apple’s built-in solution
If you are a Mac user up to date on your Mac OS and iOS versions, and live primarily within the Apple ecosystem, then using iCloud Keychain is a great choice. Passwords stored on one device will be synced to other devices via iCloud. For truly transparent use across devices you’ll need to use Safari and the default Mail apps on both your Mac and your iPhone or iPad. Developers have to support the iCloud keychain integration and many do not. Any device that uses Mavericks or iOS 7 and is logged into your iCloud ID will have access to these passwords and log you in automatically when the app supports it. This will not give you access to secure notes, and to actually read the password to use with an unsupported application, you’ll need to open up your Keychain Access program on your Mac or your Safari settings in iOS 7. Unless you have Keychain Access open on your Mac, you can’t create a random secure password (see above regarding Siri and Wolfram Alpha).

The key to this option is (pardon the pun) making sure you have current versions of the OSes on your Mac and mobile devices and not relying on third-party applications such as Chrome. Non-Apple devices such as a Windows machine or an Android-based device aren’t supported.

Best for: Users who are up to date on their operating systems and use exclusively Apple devices and default Apple apps.

2) Firefox or Chrome’s password management solution
As mentioned earlier, Chrome and Firefox have password managers, and they can be set to sync across multiple devices, including mobile devices. If you prefer one of these browsers over your system’s default (IE or Safari), then this is an excellent choice. These solutions are of course limited to website login credentials and can’t include secure notes. They also don’t provide two-factor security in any form.

Best for: Users of Firefox or Chrome browsers who stick with their browser choice across platforms.

3) LastPass – Cross-platform cloud and browser based

LastPass is a subscription-based service that stores your passwords securely in the cloud. If you don’t need to access your passwords on a mobile device, the service is free. This allows you to sync passwords across different computers – Macs, Windows PCs, and even Linux systems. It does its management via a browser extension: install the extension and you’ll have access to the passwords once logged in. Options to access your passwords offline exist via the Pocket app, as do a variety of two-factor authentication options such as a USB key or Google Authenticator. Usually you access your passwords via the browser.

To access the passwords via a mobile device you’ll need the subscription service, which costs $1 a month purchased in one-year increments. This gives you access on mobile devices as well as priority support and more two-factor authentication options. The mobile devices supported extend beyond Android and iOS and include both Windows and Blackberry. Unlike iCloud Keychain or Chrome/Firefox password management, you can store secure notes here, so I can keep information private and still synchronize it. I keep things like locker combinations and voicemail passwords in secure notes.

One feature I like about LastPass is a security audit that determines the quality of your passwords. LastPass will also tell you if your email address(es) were involved in any known security breaches. For example, it warned me that my email address was one of the accounts stolen in the Adobe hack.

As long as you don’t need to access your passwords on a mobile device, the service is free, so it’s a good step for those who want to manage passwords and aren’t up to date on OS versions.

Best for: Windows users with more comprehensive needs than what is built into browsers, Apple users who aren’t up to date, other users with no need for mobile access, or those who want two-factor authentication.

4) 1Password – application based

1Password is a standalone application and isn’t cloud-based. If you wish to sync your passwords automatically across devices, 1Password can do it via Dropbox, though other options exist depending on your needs. Syncing can also be done manually. This gives you maximum control.

This program requires a purchase for each platform. Current pricing for the Mac OS or Windows version is $49.99. Purchasing both in a bundle is $69.99, and the iOS version is $9.99. The Android version is currently free but does not support modification of the contents; it’s read-only. Browser extensions are included with the purchase for the desired platform. Compared to LastPass this is expensive, but it’s a one-time cost.

Personally I use 1Password and like the well-designed user interface on both Mac OS and Windows. On the Mac, a handy menu bar icon lets me not just access the program but log into a site with the saved password very easily. I use it as a bookmark manager for key protected sites. The program also includes categories for software licenses, credit cards, and loyalty cards as well as secure notes. I could do this in LastPass via its secure note option, but it wasn’t as elegant as the preassigned categories and suggestions.

Missing from this program is two-factor authentication, which they address in this blog post. While Dropbox can be protected with two-factor authentication, and thus synchronization can be protected, fewer options exist for protection at the desktop level. 1Password can do a security audit to determine the quality of your passwords, but can’t tell you if your email address was compromised like LastPass can. It can warn you if a password is too old and thus might be ripe for a change.

Best for: Users who want a really good user interface or prefer a native application, who prefer control over password sync, and who like a one-time cost.

Other possible options

KeePass is an open-source, free program to manage passwords that works cross-platform. This means there is no vendor support, but it gives you maximum control if you know how to use it. Evernote has a secure note function that can be used to store passwords. Since Evernote does have two-factor authentication, it may be a viable option to synchronize and store passwords; however, you might consider some of the ideas I mention in this article to obscure your data. Other companies offer password management solutions, but the ones mentioned in this article tend to be the most popular and illustrate the contrasts between the different approaches.

Final thoughts

Sure, it’s going to be a pain, but if you cringe every time you hear the news about a password breach, you’ll be more at ease knowing that you didn’t use the same password everywhere and that the passwords you chose were secure and unique. With these password management options you’ll actually be able to find that password the next time you need it.

Personally I’m still not sure if I like 1Password or LastPass better, but at least I know my passwords are secure and safe. Which password management programs do you prefer and why?